Merge branch 'master' into master

Deborah Servili 2019-09-04 14:42:47 +02:00 committed by GitHub
commit 718ea55dd7
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 646 additions and 23 deletions

1
.gitignore vendored Normal file

@ -0,0 +1 @@
__pycache__

View file

@ -13471,7 +13471,29 @@
},
"uuid": "6cfa553a-1e1b-115a-401f-015d681470b1",
"value": "GetCrypt"
},
{
"description": "A new ransomware family dubbed “Nemty” for the extension it adds to encrypted files has recently surfaced in the wild. According to a report from Bleeping Computer, New York-based reverse engineer Vitali Kremez posits that Nemty is possibly delivered through exposed remote desktop connections.",
"meta": {
"payment-method": "Bitcoin",
"price": "1000 $",
"refs": [
"https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/nemty-ransomware-possibly-spreads-through-exposed-remote-desktop-connections"
]
},
"uuid": "6cfa554a-1e2b-115a-400f-014d671470b1",
"value": "Nemty"
},
{
"description": "Buran is a new version of the Vega ransomware strain (a.k.a. Jamper, Ghost, Buhtrap) that attacked accountants from February through April 2019. The new Buran ransomware first was discovered by nao_sec in June 2019, delivered by the RIG Exploit Kit, as reported by BleepingComputer.",
"meta": {
"refs": [
"https://www.acronis.com/en-us/blog/posts/meet-buran-new-delphi-ransomware-delivered-rig-exploit-kit"
]
},
"uuid": "6cfa554a-1e1b-114a-300f-013d671370b0",
"value": "Buran"
}
],
"version": 64
"version": 66
}
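Review bot: The `uuid` values of the two new entries (`6cfa554a-1e2b-115a-400f-014d671470b1` for Nemty, `6cfa554a-1e1b-114a-300f-013d671370b0` for Buran) differ from the neighbouring GetCrypt UUID `6cfa553a-1e1b-115a-401f-015d681470b1` in only a few digits, which suggests they were edited by hand rather than generated. The `uuid` is presumably the stable key other clusters and consumers use to reference an entry, so near-identical hand-made values invite collisions and copy errors. Generating each one with a random (version 4) UUID generator would avoid that.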

View file

@ -1493,7 +1493,7 @@
"Zhōnghuá Rénmín Gònghéguó"
],
"territory-type": [
""
"Country"
]
},
"uuid": "53d3d205-db31-4ec9-86aa-c2bf11fd18e6",
@ -2154,7 +2154,7 @@
"currency": [
"$",
"USD",
"United States dollara"
"United States dollar"
],
"iso-code": [
"SV",
@ -2517,10 +2517,27 @@
"calling-code": [
"+241"
],
"capital": [
"Libreville"
],
"currency": [
"Central African CFA franc",
"XAF"
],
"iso-code": [
"GA",
"GAB"
],
"official-languages": [
"French"
],
"synomyms": [
"Gabonese Republic",
"République gabonaise"
],
"territory-type": [
"Country"
],
"top-level-domain": ".ga"
},
"uuid": "8e70d742-c708-4a9e-8ab1-6a8a90306ccf",
@ -2531,10 +2548,28 @@
"calling-code": [
"+220"
],
"capital": [
"Banjul"
],
"currency": [
"Dalasi",
"GMD"
],
"iso-code": [
"GM",
"GMB"
]
],
"official-languages": [
"English"
],
"synomyms": [
"The Gambia",
"Republic of The Gambia"
],
"territory-type": [
"Country"
],
"top-level-domain": ".gm"
},
"uuid": "2ded2689-16c3-4476-a2d8-04c4bc51ae4a",
"value": "Gambia"
@ -2544,10 +2579,32 @@
"calling-code": [
"+995"
],
"capital": [
"Tbilisi"
],
"currency": [
"Georgian lari",
"₾",
"GEL"
],
"iso-code": [
"GE",
"GEO"
],
"official-languages": [
"Georgian",
"Abkhazian"
],
"synomyms": [
"საქართველო",
"sakartvelo",
"Republic of Georgia",
"საქართველოს რესპუბლიკა",
"sakartvelos resp'ublik'a"
],
"territory-type": [
"Country"
],
"top-level-domain": ".ge"
},
"uuid": "76c2f2fe-ce68-4008-aa30-1ac8de38d617",
@ -2558,6 +2615,14 @@
"calling-code": [
"+49"
],
"capital": [
"Berlin"
],
"currency": [
"€",
"EUR",
"EURO"
],
"iso-code": [
"DE",
"DEU"
@ -2565,6 +2630,17 @@
"member-of": [
"NATO"
],
"official-languages": [
"German"
],
"synomyms": [
"Deutschland",
"Federal Republic of Germany",
"Bundesrepublik Deutschland"
],
"territory-type": [
"Country"
],
"top-level-domain": ".de"
},
"uuid": "4121d334-39d0-49c4-8a0e-0442c6bdcbc4",
@ -2575,10 +2651,26 @@
"calling-code": [
"+233"
],
"capital": [
"Accra"
],
"currency": [
"Ghanaian cedi",
"GHS"
],
"iso-code": [
"GH",
"GHA"
],
"official-languages": [
"English"
],
"synomyms": [
"Republic of Ghana"
],
"territory-type": [
"Country"
],
"top-level-domain": ".gh"
},
"uuid": "6f7a0f04-8299-4a2d-95d0-a8305a1ae23e",
@ -2589,10 +2681,29 @@
"calling-code": [
"+350"
],
"capital": [
"Gibraltar"
],
"currency": [
"Gibraltar pound",
"£",
"GIP"
],
"iso-code": [
"GI",
"GIB"
]
],
"official-languages": [
"English"
],
"synomyms": [
"جبل طارق",
"Jabal Ṭāriq"
],
"territory-type": [
"British Overseas Territory"
],
"top-level-domain": ".gi"
},
"uuid": "078a914d-7ef3-413b-8a62-2473b8db1c12",
"value": "Gibraltar"
@ -2602,6 +2713,14 @@
"calling-code": [
"+30"
],
"capital": [
"Athens"
],
"currency": [
"€",
"EUR",
"EURO"
],
"iso-code": [
"GR",
"GRC"
@ -2609,6 +2728,19 @@
"member-of": [
"NATO"
],
"official-languages": [
"Greek"
],
"synomyms": [
"Hellas",
"Ελλάς",
"Hellenic Republic",
"Ελληνική Δημοκρατία",
"Ellinikí Dimokratía"
],
"territory-type": [
"sovereign state"
],
"top-level-domain": ".gr"
},
"uuid": "505730f7-2637-4efb-845d-f1af7cdca109",
@ -2619,10 +2751,28 @@
"calling-code": [
"+299"
],
"capital": [
"Nuuk"
],
"currency": [
"Danish krone",
"DKK"
],
"iso-code": [
"GL",
"GRL"
]
],
"official-languages": [
"Greenandic"
],
"synomyms": [
"Kalaallit Nunaat",
"Grønland"
],
"territory-type": [
"Country"
],
"top-level-domain": ".gl"
},
"uuid": "20f2c544-093d-4964-84ae-7d5fd54ad6d0",
"value": "Greenland"
@ -2632,10 +2782,23 @@
"calling-code": [
"+1-473"
],
"capital": [
"St. George's"
],
"currency": [
"East Caribbean dollar",
"XCD"
],
"iso-code": [
"GD",
"GRD"
],
"official-languages": [
"English"
],
"territory-type": [
"sovereign state"
],
"top-level-domain": ".gd"
},
"uuid": "1aea4486-eef7-496b-9a69-a2d2bdbe7b77",
@ -2646,10 +2809,30 @@
"calling-code": [
"+1-671"
],
"capital": [
"Hagåtña"
],
"currency": [
"$",
"USD",
"United States dollar"
],
"iso-code": [
"GU",
"GUM"
]
],
"official-languages": [
"English",
"Chamorro"
],
"synomyms": [
"Guåhån",
"Territory of Guam"
],
"territory-type": [
"Unincorporated organized territory"
],
"top-level-domain": ".gu"
},
"uuid": "4dc24d07-79ee-43b7-98a0-53bc79a29708",
"value": "Guam"
@ -2659,10 +2842,27 @@
"calling-code": [
"+502"
],
"capital": [
"Guatemala City"
],
"currency": [
"Quetzal",
"GTQ"
],
"iso-code": [
"GT",
"GTM"
],
"official-languages": [
"Spanish"
],
"synomyms": [
"Republic of Guatemala",
"República de Guatemala"
],
"territory-type": [
"Country"
],
"top-level-domain": ".gt"
},
"uuid": "3e3e89d2-07f3-4ddc-addf-2d5cb05bedd1",
@ -2673,10 +2873,30 @@
"calling-code": [
"+44-1481"
],
"capital": [
"St Peter Port"
],
"currency": [
"Guernsey Pound",
"Pound sterling",
"GGP",
"GBP"
],
"iso-code": [
"GG",
"GGY"
]
],
"official-languages": [
"English",
"French"
],
"synomyms": [
"Guernési"
],
"territory-type": [
"Jurisdiction"
],
"top-level-domain": ".gg"
},
"uuid": "dd42b40e-2740-46f5-9bb1-6d0799a081c7",
"value": "Guernsey"
@ -2686,10 +2906,30 @@
"calling-code": [
"+224"
],
"capital": [
"Conakry"
],
"currency": [
"Guinean franc",
"GNF"
],
"iso-code": [
"GN",
"GIN"
],
"official-languages": [
"French"
],
"synomyms": [
"Ginee",
"Guinée",
"Republic of Guinea",
"Renndaandi Ginee",
"République de Guinée (French)"
],
"territory-type": [
"Country"
],
"top-level-domain": ".gn"
},
"uuid": "f227edf8-e538-45b8-8a70-1a05ea5a605b",
@ -2700,10 +2940,28 @@
"calling-code": [
"+245"
],
"capital": [
"Bisseau"
],
"currency": [
"West African CFA franc",
"XOF"
],
"iso-code": [
"GW",
"GNB"
],
"official-languages": [
"Portuguese"
],
"synomyms": [
"Guiné-Bissau",
"Republic of Guinea-Bissau",
"República da Guiné-Bissau"
],
"territory-type": [
"Country"
],
"top-level-domain": ".gw"
},
"uuid": "3b5824bc-936e-4403-bdc9-4dd9a7db36e3",
@ -2714,10 +2972,26 @@
"calling-code": [
"+592"
],
"capital": [
"Georgetown"
],
"currency": [
"Guyanese dollar",
"GYD"
],
"iso-code": [
"GY",
"GUY"
],
"official-languages": [
"English"
],
"synomyms": [
"Co-operative Republic of Guyana"
],
"territory-type": [
"Country"
],
"top-level-domain": ".gy"
},
"uuid": "cb9fbca4-6cc6-4f83-9ebc-4e975cddea69",
@ -2728,10 +3002,33 @@
"calling-code": [
"+509"
],
"capital": [
"Port-au-Prince"
],
"currency": [
"Haitian gourde",
"G",
"HTG"
],
"iso-code": [
"HT",
"HTI"
],
"official-languages": [
"French",
"Haitian Creole"
],
"synomyms": [
"Haïti",
"Ayiti",
"Republic of Haiti",
"République d'Haïti",
"Repiblik Ayiti",
"Hayti"
],
"territory-type": [
"Country"
],
"top-level-domain": ".ht"
},
"uuid": "595dd000-64ac-43b5-be17-0f52eff47459",
@ -2742,10 +3039,27 @@
"calling-code": [
"+504"
],
"capital": [
"Tegucigalpa"
],
"currency": [
"Lempira",
"HNL"
],
"iso-code": [
"HN",
"HND"
],
"official-languages": [
"Spanish"
],
"synomyms": [
"Republic of Honduras",
"República de Honduras"
],
"territory-type": [
"Country"
],
"top-level-domain": ".hn"
},
"uuid": "74a66006-ce2b-4280-abd1-e6f14ff9b926",
@ -2756,10 +3070,25 @@
"calling-code": [
"+852"
],
"currency": [
"Hong Kong dollar",
"HK$",
"HKD"
],
"iso-code": [
"HK",
"HKG"
],
"official-languages": [
"Chinese",
"English"
],
"synomyms": [
"Hong Kong Special Administrative Region of the People's Republic of China"
],
"territory-type": [
"special administrative region"
],
"top-level-domain": ".hk"
},
"uuid": "51c8ffc5-5453-4bf8-b100-74186d9a0de0",
@ -2770,6 +3099,13 @@
"calling-code": [
"+36"
],
"capital": [
"Budapest"
],
"currency": [
"Forint",
"HUF"
],
"iso-code": [
"HU",
"HUN"
@ -2777,6 +3113,15 @@
"member-of": [
"NATO"
],
"official-languages": [
"Hungarian"
],
"synomyms": [
"Magyarország"
],
"territory-type": [
"Country"
],
"top-level-domain": ".hu"
},
"uuid": "adc52cee-5668-498d-8111-db1c38a584c5",
@ -2787,6 +3132,13 @@
"calling-code": [
"+354"
],
"capital": [
"Reykjavík"
],
"currency": [
"Icelandic króna",
"ISK"
],
"iso-code": [
"IS",
"ISL"
@ -2794,6 +3146,15 @@
"member-of": [
"NATO"
],
"official-languages": [
"Icelandic"
],
"synomyms": [
"Ísland"
],
"territory-type": [
"Country"
],
"top-level-domain": ".is"
},
"uuid": "5bcfbed4-d9af-40ab-bcbd-013cad252570",
@ -2804,10 +3165,29 @@
"calling-code": [
"+91"
],
"capital": [
"New Delhi"
],
"currency": [
"Indian rupee",
"₹",
"INR"
],
"iso-code": [
"IN",
"IND"
],
"official-languages": [
"Hindi",
"English"
],
"synomyms": [
"Republic of India",
"Bhārat Gaṇarājya"
],
"territory-type": [
"Country"
],
"top-level-domain": ".in"
},
"uuid": "283a7b58-9fa6-48c8-95bc-9ece77b5b2ea",
@ -2818,10 +3198,28 @@
"calling-code": [
"+62"
],
"capital": [
"Jakarta"
],
"currency": [
"Indonesian rupiah",
"Rp",
"IDR"
],
"iso-code": [
"ID",
"IDN"
],
"official-languages": [
"Indonesian"
],
"synomyms": [
"Republic of Indonesia",
"Republik Indonesia"
],
"territory-type": [
"Country"
],
"top-level-domain": ".id"
},
"uuid": "417b5c63-a388-45d1-b104-cede98b13fe0",
@ -2832,10 +3230,30 @@
"calling-code": [
"+98"
],
"capital": [
"Tehran"
],
"currency": [
"Rial",
"ریال",
"IRR"
],
"iso-code": [
"IR",
"IRN"
],
"official-languages": [
"Persian"
],
"synomyms": [
"Persia",
"Islamic Republic of Iran",
"جمهوری اسلامی ایران",
"Jomhuri-ye Eslāmi-ye Irān"
],
"territory-type": [
"Country"
],
"top-level-domain": ".ir"
},
"uuid": "12b32332-ead1-4f69-be61-69ab1ed27d01",
@ -2846,10 +3264,36 @@
"calling-code": [
"+964"
],
"capital": [
"Baghdad"
],
"currency": [
"Iraqi dinar",
"IQD"
],
"iso-code": [
"IQ",
"IRQ"
],
"official-languages": [
"Arabic",
"Kurdish"
],
"synomyms": [
"العراق",
"al-'Irāq",
"عێراق‎",
"Êraq",
"Republic of Iraq",
"جمهورية العراق",
"کۆماری عێراق",
"کۆمارا ئێـراقێ",
"Jumhūrīyyat al-'Irāq",
"Komarî Êraq"
],
"territory-type": [
"Country"
],
"top-level-domain": ".iq"
},
"uuid": "625f37bd-fe48-4791-ac1e-be8d069643a1",
@ -2860,10 +3304,29 @@
"calling-code": [
"+353"
],
"capital": [
"Dublin"
],
"currency": [
"€",
"EUR",
"EURO"
],
"iso-code": [
"IE",
"IRL"
],
"official-languages": [
"Irish",
"English"
],
"synomyms": [
"Éire",
"Republic of Ireland"
],
"territory-type": [
"Country"
],
"top-level-domain": ".ie"
},
"uuid": "b1243ef1-78f4-4e10-841d-bc61361f21f8",
@ -2874,10 +3337,32 @@
"calling-code": [
"+44-1624"
],
"capital": [
"Douglas"
],
"currency": [
"Pound sterling",
"GBP",
"Manx pound",
"IMP"
],
"iso-code": [
"IM",
"IMN"
]
],
"official-languages": [
"English",
"Manx"
],
"synomyms": [
"Mannin",
"Ellan Vannin",
"Mann"
],
"territory-type": [
"Crown dependency"
],
"top-level-domain": ".im"
},
"uuid": "57855966-b290-47e2-b098-1d903f4163b8",
"value": "Isle of Man"
@ -2887,10 +3372,29 @@
"calling-code": [
"+972"
],
"capital": [
"Jerusalem"
],
"currency": [
"New shekel",
"₪",
"ILS"
],
"iso-code": [
"IL",
"ISR"
],
"official-languages": [
"Hebrew"
],
"synomyms": [
"יִשְׂרָאֵל",
"إِسْرَائِيل‎",
"State of Israel"
],
"territory-type": [
"Country"
],
"top-level-domain": ".il"
},
"uuid": "3273414a-8331-44cc-b3f6-890bf2363607",
@ -2901,6 +3405,14 @@
"calling-code": [
"+39"
],
"capital": [
"Rome"
],
"currency": [
"€",
"EUR",
"EURO"
],
"iso-code": [
"IT",
"ITA"
@ -2908,6 +3420,17 @@
"member-of": [
"NATO"
],
"official-languages": [
"Italian"
],
"synomyms": [
"Italia",
"Italian Republic",
"Repubblica Italiana"
],
"territory-type": [
"Country"
],
"top-level-domain": ".it"
},
"uuid": "1bcc0b11-d906-40ea-910c-a1124c4d82bd",
@ -2918,10 +3441,29 @@
"calling-code": [
"+225"
],
"capital": [
"Yamoussoukro",
"Abidjan"
],
"currency": [
"West African CFA franc",
"XOF"
],
"iso-code": [
"CI",
"CIV"
],
"official-languages": [
"French"
],
"synomyms": [
"Côte d'Ivoire",
"Republic of Côte d'Ivoire",
"République de Côte d'Ivoire"
],
"territory-type": [
"Country"
],
"top-level-domain": ".ci"
},
"uuid": "c1aac71f-b060-4816-9369-451df1550883",
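Review bot: The added metadata uses the key `"synomyms"` in every entry these hunks touch (Gabon through Côte d'Ivoire), while the duplicate checker elsewhere in this commit reads `entry.get('meta').get('synonyms')`, so none of these alternate names are seen by that check. If the misspelling predates this commit it is still worth renaming to `"synonyms"` in one pass. Two values also look misspelled, `"Greenandic"` (Greenlandic) and `"Bisseau"` (Bissau). `"territory-type"` alternates between `"Country"` and `"sovereign state"` (Greece, Grenada) for comparable entries, which makes the field unreliable to filter on.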

View file

@ -3735,10 +3735,12 @@
"refs": [
"https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf",
"https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html",
"https://attack.mitre.org/groups/G0037/"
"https://attack.mitre.org/groups/G0037/",
"https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/"
],
"synonyms": [
"Skeleton Spider"
"Skeleton Spider",
"ITG08"
]
},
"related": [
@ -4675,7 +4677,8 @@
"https://threatvector.cylance.com/en_us/home/el-machete-malware-attacks-cut-through-latam.html"
],
"synonyms": [
"Machete"
"Machete",
"machete-apt"
]
},
"uuid": "827c17e0-c3f5-4ad1-a4f4-30a40ed0a2d3",
@ -6911,7 +6914,11 @@
"https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware",
"https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf",
"https://threatpost.com/ta505-servhelper-malware/140792/",
"https://blog.yoroi.company/research/the-stealthy-email-stealer-in-the-ta505-arsenal/"
"https://blog.yoroi.company/research/the-stealthy-email-stealer-in-the-ta505-arsenal/",
"https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/"
],
"synonyms": [
"SectorJ04 Group"
]
},
"uuid": "03c80674-35f8-4fe0-be2b-226ed0fcd69f",
@ -7643,6 +7650,15 @@
"uuid": "5533d062-18ab-4c70-9472-0eac03f95a1d",
"value": "TA428"
},
{
"meta": {
"refs": [
"https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign"
]
},
"uuid": "e1b95185-8db6-4f3c-9ffd-1749087d934a",
"value": "LYCEUM"
},
{
"description": "APT41 is a prolific cyber threat group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity potentially outside of state control.",
"meta": {
@ -7694,5 +7710,5 @@
"value": "SectorJ04"
}
],
"version": 129
"version": 131
}
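Review bot: The TA505 hunk adds the synonym `"SectorJ04 Group"` while the end of this file still carries a separate cluster whose `"value"` is `"SectorJ04"`, so what appears to be one actor is now reachable under two entries. The duplicate check in this commit compares lower-cased exact strings, so `sectorj04 group` and `sectorj04` will not be reported against each other. Either merge the two entries or link them through `"related"` so that a pivot on the name reaches both. The new LYCEUM entry carries only a `refs` list; a short `description` would let consumers triage it without following the link.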

0
tools/__init__.py Normal file

View file

@ -8,9 +8,19 @@ import os
import collections
def loadjsons(path):
def loadjsons(path, return_paths=False):
"""
Find all Jsons and load them in a dict
Find all Jsons and load them in a dict
Parameters:
path: string
return_names: boolean, if the name of the file should be returned,
default: False
Returns:
List of parsed file contents.
If return_paths is True, then every list item is a tuple of the
file name and the file content
"""
files = []
data = []
@ -18,9 +28,14 @@ def loadjsons(path):
if os.path.isfile(os.path.join(path, name)) and name.endswith('.json'):
files.append(name)
for jfile in files:
data.append(json.load(open("%s/%s" % (path, jfile))))
filepath = os.path.join(path, jfile)
if return_paths:
data.append((filepath, json.load(open(filepath))))
else:
data.append(json.load(json.load(open(filepath))))
return data
if __name__ == '__main__':
"""
Iterate all name + synonyms
@ -33,19 +48,19 @@ if __name__ == '__main__':
items = djson.get('values')
for entry in items:
name = entry.get('value').strip().lower()
counter[name]+=1
counter[name] += 1
namespace.append([name, djson.get('name')])
try:
for synonym in entry.get('meta').get('synonyms'):
name = synonym.strip().lower()
counter[name]+=1
counter[name] += 1
namespace.append([name, djson.get('name')])
except (AttributeError, TypeError):
pass
counter = dict(counter)
for key, val in counter.items():
if val>1:
print ("Warning duplicate %s" % key)
if val > 1:
print("Warning duplicate %s" % key)
for item in namespace:
if item[0]==key:
print (item)
if item[0] == key:
print(item)
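Review bot: In `loadjsons`, the new `else` branch calls `json.load(json.load(open(filepath)))`: the inner call already returns the parsed object, so the outer call fails on it (a dict has no `.read()`), and every caller relying on the default `return_paths=False` breaks. That would include this module's own `__main__` loop if it calls `loadjsons` without the flag, but the call is outside the hunk. The line should be `data.append(json.load(open(filepath)))`. The docstring documents a parameter `return_names` while the signature names it `return_paths`. Both `open()` calls also leave the file handle to the garbage collector; wrapping the load in `with open(filepath) as fh:` would close it deterministically.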

24
tools/chk_empty_strings.py Executable file

@ -0,0 +1,24 @@
#!/usr/bin/env python3
# coding=utf-8
"""
Tools to find empty string entries in galaxies
"""
from .chk_dup import loadjsons
import sys
if __name__ == '__main__':
jsons = loadjsons("clusters", return_paths=True)
retval = 0
for clustername, djson in jsons:
items = djson.get('values')
for entry in items:
name = entry.get('value')
for key, value in entry.get('meta', {}).items():
if isinstance(value, list):
if '' in value:
retval = 1
print("Empty string found in Cluster %r: values/%s/meta/%s"
"" % (clustername, name, key),
file=sys.stderr)
sys.exit(retval)
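Review bot: The check only fires on an exact `''` inside a list (`if '' in value`), so an empty scalar field such as `"top-level-domain": ""` or a whitespace-only string like `" "` passes unnoticed. Testing `isinstance(value, str) and not value.strip()` for scalars and `any(isinstance(v, str) and not v.strip() for v in value)` for lists would cover both. `djson.get('values')` returns `None` for a file without that key and the `for` loop then raises `TypeError`; `djson.get('values', [])` keeps the run going. The relative import `from .chk_dup import loadjsons` means the file only works when run as `python3 -m tools.chk_empty_strings` from the repository root, despite the shebang and executable bit.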

View file

@ -84,3 +84,6 @@ do
fi
echo ''
done
# check for empyt strings in clusters
python3 -m tools.chk_empty_strings
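Review bot: The new comment reads `# check for empyt strings in clusters`; it should be `# check for empty strings in clusters`. Whether a non-zero exit from `python3 -m tools.chk_empty_strings` actually fails the run depends on this staying the script's last command or on `set -e` being in effect. Neither is visible in this hunk, so that is worth confirming.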